:
Thank you, Mr. Chair, committee, for allowing us to come today to talk about issues related to your review of PIPEDA. I don't think we'll be very long in our opening remarks. Our issues are pretty specific. We just really want to raise those for you, and we'll be happy to try to answer any questions.
Very briefly, the Canadian Resource Centre for Victims of Crime is a national non-profit advocacy group for victims. We work with victims from across the country in providing direct advocacy services. We also try to raise issues with all levels of government, advocate on behalf of victims to promote their rights and their interests, and promote laws to better protect them. It's that latter role that I'm here in today, to try to promote some amendments and raise some awareness on issues that we think require some attention to better protect children, in this case, from Internet child sexual exploitation.
I should mention that we are funded by the Canadian Police Association. We have been sponsored by the police association since 1993, so we have had a lot of interaction with various law enforcement officers across the country. Some of those are investigators who work directly with these issues.
Contrary to a lot of public opinion, I think what law enforcement unfortunately faces on a day-to-day basis in dealing with these issues is not children frolicking on beaches or pictures of kids running around in their underwear; it is the rape and torture of children, sometimes babies, by men, and often their fathers or uncles. Those images are kept and put on the Internet for anyone and everyone to see. They are traded like baseball cards. There are thousands of images of children all around the world. Last week, we saw a huge bust resulting from Australia that has had impacts in many countries, Canada included.
One of the issues we want to speak to today is what the impact of PIPEDA is on law enforcement's efforts to try to address these issues. In our interaction with the members of the Canadian Police Association that we deal with from time to time, and also in following media reports, it seems there is some confusion with regard to the PIPEDA legislation and whether or not Internet service providers can or should provide information to law enforcement regarding subscriber information, like people's names and addresses. It's our position, very succinctly, that ISPs should frankly not have discretion to share that information with law enforcement efforts. At the very least, with this legislation, we need to make it clear that ISPs can and should share information.
We have provided a brief. I apologize for not getting it to you sooner so that it could be translated, but we have left copies with the clerk.
The issue of child pornography has been raised in various committees over the last couple of years. We sent a brief to all members of Parliament six or seven years ago about child pornography, along with some recommendations that we had made at that time. Some of them have been implemented, like the creation of a luring offence and the creation of a national tip line, which is now in operation and had I think 6,000 tips in the first year of operations alone.
Various other committees have heard from experts who have far more expertise in this area than us. I just want to read a very quick quote from OPP Detective Inspector Angie Howe, who spoke to a Senate committee in 2005 on , which had a variety of different measures, some of them regarding child pornography. What she said then was:
The images are getting more violent and the children in the photos are getting younger. As recently as one year ago, we did not often see pictures with babies, where now it is normal to see babies in many collections that we find. There is even a highly sought-after series on the Internet of a newborn baby being violated. She still has her umbilical cord attached; she is that young.
I say that not to shock you or disgust you—although I suspect you are disgusted—but just to really get the message across of what it is law enforcement is fighting.
In our efforts to raise these issues, we have heard of the notion of Big Brother and that law enforcement wants access to all this information. What they're doing every single day is sitting in front of a computer, sifting through tens of thousand of images. One accused person could have 10,000 images of children being raped and tortured. That's what law enforcement is dealing with, and those are the children we come here today to try to speak for.
You're dealing with PIPEDA, which is an act relating to privacy. Can you imagine any greater violation of your privacy than having the most awful images of you captured for anyone and everyone to see? Unfortunately, no one is speaking for those children. No one is talking about their privacy rights.
We have a Privacy Commissioner who I'm sure does an absolutely fabulous job on a variety of issues, but as far as I know, she has not once spoken for those children. Later, I'll refer to a letter she wrote to us about the PIPEDA legislation and what the discretion really is for ISPs.
In the letter, she says that ISPs may look at this on a case-by-case basis—frankly, a case-by-case basis is not good enough for us anyway—but nowhere did she talk about what her office is doing to raise the interests of those children. No one is speaking for them, and that's one of the reasons why we came here today. We're here to try to lend a voice to their concerns and their issues. What's being been done to protect their privacy rights? We have to balance that with the privacy rights of Internet users, but part of the equation has to be the privacy interests of those children.
The issue for us has been raised in the media by law enforcement and in a couple of court cases. It's with respect to subsection 7(3) of the legislation, which sets out the provisions where an organization may disclose personal information. The first condition, as you will see, is with a warrant. Obviously, if police go get a warrant, then the ISP has to comply.
There is, unfortunately, some confusion with the second stipulation, which refers to a response to a request by a government institution that has lawful authority to obtain the personal information for the purpose of enforcing a law, carrying out an investigation, or gathering intelligence. It's that issue of “lawful authority” I think that has led to some confusion, and our basic suggestion to you is to clarify that.
There was a case in Ontario in which Toronto police were investigating someone. They sent a letter of request for information, pursuant to a child exploitation investigation, to Bell Canada. Bell Canada cooperated with that and provided information to the police, but this was challenged in court. At that time, the court said that the section I referred to does not establish what “lawful authority” is. The court went on to say that really, in that court's mind, a warrant was needed. Fortunately, that decision was overturned by a higher court. And just for your information, the search led to the discovery of a large child pornography collection.
But that's the issue that this committee should task itself with. What is lawful authority? If law enforcement were here to speak to this—and I would encourage you to actually have some of the investigators come to talk about their experiences with PIPEDA—I think what you will find is that a lot of the larger ISPs tend to cooperate with law enforcement even if they don't get warrants but just have letters of authorization. Not all of them do, though. For some ISPs, use of PIPEDA is left to their interpretation. We're asking for your committee to clarify that or recommend that it be clarified.
People ask why police don't just get warrants. One of your previous witnesses, I think from the industry department, referred to the speed with which these things sometimes happen. At the time, I think the chair actually asked a question about a case from St. Thomas, where there was live abuse going on with a child. Sometimes there just isn't time to go get a warrant.
The other thing, from our perspective, is that police don't need a warrant. What we're talking about is someone's name and address, which they can get off a licence plate. They don't need a warrant to get your name and address if they see you speeding away from the scene of a crime or failing to stop. Are we really going to give better protection or more enforcement for people who fail to stop than we are for those who might be abusing children?
In some jurisdictions, some pawn shops are required to have information about customers who come in and sell merchandise. That information can be used to track back stolen property. Is stolen property really more important than our children?
That's the basic thrust of our testimony here today. Again, we're not experts in law enforcement, but these are the concerns that law enforcement have expressed both publicly and to us, if you look at some of the media reports. Just last week, over this bust, you'll note that the head of the National Child Exploitation Coordination Centre, from the RCMP here in Ottawa, said we have to rely on ISPs to help us. Frankly, we don't think there should be any discretion for ISPs to help law enforcement, certainly in these cases. At the minimum, though, we would ask this committee to clarify subsection 7(3).
We would also ask that some consideration be given to perhaps amending the statement of principles of the legislation, to make it clear that the legislation was never intended to negate or interfere with the moral and ethical duties of companies. Companies will often complain about the costs of these things, about what it costs them to cooperate with law enforcement. It's our argument that we all have a duty to cooperate with law enforcement. We're seeing now, in British Columbia, twelve citizens potentially giving a year of their life to jury duty. We all have to do that. There are consequences and there are costs for us to do that.
We work with women who are abused by partners, who testify in court and put themselves sometimes at great risk to assist with the enforcement of the law. We're all part of the solution here, and I think it's incumbent upon ISPs to step up and do their part.
I can speak a little more to the cost issue if that's something you want me to speak to.
The last issue I would raise is whether this committee could use its influence to encourage the Privacy Commissioner to take a more active role in protecting the privacy interests of children.
Thank you, Mr. Chair.
:
Good morning, everyone. As Mr. Masnyk mentioned, my name is Bob Kimball and I'm the volunteer chair for the Insurance Brokers Association of Canada.
I come from a small town of about 4,500 people, Sussex, New Brunswick. I just want to give you a little perspective on where I come from. I have six employees in my office. That includes me and my wife. My father is an insurance broker. My three brothers are insurance brokers. I mentioned my wife is an insurance broker. Even my son is working in insurance, so it's a family business...small community. Insurance gets in your blood.
My goal this morning is to provide you with an industry perspective as well as a working perspective on these issues that you're challenged to look into.
First, I'd like to commend your dedication in serving the public on an important issue that affects Canadians.
Privacy is one of the cornerstones of our society and something that should never wilfully be compromised. We live in a world that is being transformed by the greatest evolution in technology in our history, and safeguards need to be in place to protect Canadians from any abuses of their privacy.
I'm here as an insurance broker, so I'll speak on how some of the issues before you affect our profession and our consumers of insurance.
I'd like to begin this morning with a comment on the general effectiveness of PIPEDA. Through our experience, I would suggest to the committee that PIPEDA works, and it works well. I can tell you that we've checked with our office, the Insurance Brokers Association of Canada, and we have not received a single complaint regarding privacy since PIPEDA came into effect. In addition, we have confirmed with the general insurance ombudsman that his office has not received a single complaint regarding breaches of privacy when it comes to brokerages. It's based on this that I'm of the opinion that the approach taken in the spirit and the intention of PIPEDA has been a correct one.
After the privacy legislation was passed in 2001, our association prepared and distributed a guide to all of our brokers dealing with the implementation of these provisions, and you all have a copy of it in the binder.
In addition, we had seminars and road shows that were offered to all of our brokerages across the country to help them implement the new requirements. Brokers have embraced the guidelines as a regular part of day-to-day business. As brokers, we strive to cover and protect our clients. This is what we do every day. We provide clients with peace of mind. We would not be in business if we did not do this well.
Under this protective coverage also comes our clients' personal information. I'd like to share with you what that means in an insurance broker's office. In my own office, as well as having all of the physical things looked after--bars on windows, alarm systems, metal filing cabinets, those types of things--we have long-term employees. My shortest-term employee has been with me for 10 years. I have one lady who's been with us for 43 years. So we have long-term employees. We're in a small town, so obviously we have to keep people's privacy utmost in our mind.
Our computer system, which has the information in it, is a proprietary system. It doesn't work on a Windows base. It's very different. There are about six or seven different insurance systems out there, and you have to know entirely how the system works in order to get any information out of it. There are multiple passwords. We have passwords to sign our computers on, to get into our insurance system, to access information. So we take privacy very much to heart.
I'd like to ask Mr. Fredericks to address some of the issues that are raised in your consultation, if I could, at this time.
Good morning, everyone. My name is Peter Fredericks. I'm the vice-president of our association. As is Mr. Kimball, I'm a working broker in Bedford, Nova Scotia, a town of about 28,000. There are five other brokers in my town, actually. I employ four people.
Our day-to-day operation, from a security and privacy standpoint, is very similar to Mr. Kimball's, so I won't go through that again with you.
We have three issues we would like to raise on the Privacy Commissioner this morning. The first is the actual role and mandate of the Office of the Privacy Commissioner. We believe the ombudsman model is the appropriate and effective model for this organization. We believe it is essential that parties have access to collaborative dispute resolution, and we believe it is a fair practice to have a judicious overseer.
The second issue we wish to bring up is work product. It's an area that we believe needs clarification. It's widely accepted that information obtained during the usual course of business is proprietary to the firm. The current law, we feel, is unclear both in the definition of work product and in the fact that it should be excluded from falling under personal information. Our position is that the analysis and expertise surrounding the use of personal information is proprietary to the broker and should not be included in personal information under the law.
Our third issue is with respect to duty to notify in the event of a breach of personal information. We concede and agree wholeheartedly that this is a sensitive topic for all Canadians. Our profession is one that is based on assessing risk and placing it with the proper coverages.
Our basic reason for being is to protect our clients, whether it's protecting their homes, their cars, their business, or of course their privacy. It just flows that a breach in privacy would necessarily involve assessing the degree of breach, informing a client, and mitigating any future breaches--it's key to our profession. We believe it just makes good business sense to follow this model. Because of the nature of the insurance industry, we believe that regulating this duty would be challenging at best and practically unworkable at worst.
For us, the bottom line is that if a briefcase containing three clients' files is stolen, obviously the broker involved is going to make every effort possible to assist those three customers and do whatever is right to make sure that information is protected. Our concern is being regulated by this body to contact, in my case, all 2,500 of my customers to inform them that three customers' files had been stolen.
Those are basically our concerns with the issues before you. We'd like to thank you very much for the opportunity to be here this morning. We're more than happy to answer any questions you may have.
:
Good morning, Mr. Chair, and thank you.
I have some prepared remarks I would like to put on the record, if you will permit me. There will be some overlap I think with my friends from the Canadian Resource Centre for Victims of Crime, but if you bear with me, I'll go through them.
As stated, my name is Clayton Pecknold. I'm a deputy chief constable with the Central Saanich Police Service in British Columbia. I'm the co-chair of the Law Amendments Committee of the Canadian Association of Chiefs of Police.
First let me thank you for granting the CACP the opportunity on such short notice to appear before you today. I understand you are coming to the latter stages of your work and no doubt have had much material placed before you. I will endeavour to keep my remarks focused and brief with that in mind. I also wish to convey to you, Mr. Chair and members of the committee, the compliments of our president, Mr. Jack Ewatski, who's the chief of the Winnipeg Police Service, and our executive director, Mr. Peter Cuthbert.
The Canadian Association of Chiefs of Police represents the leadership of policing in Canada. Our membership spans all levels of policing, from municipal to federal agencies, and includes approximately 90% of the chiefs, deputy chiefs, and other senior executives from our nation's policing community. The CACP is committed to promoting effective law enforcement in Canada to the benefit and safety and security of all Canadians. As part of this mandate, and to enhance the effectiveness of policing, the CACP is committed to legislative reform such as that which is before you today. We appear often on bills and participate with enthusiasm and at every opportunity to consult with government on matters pertaining to the law and policy having an impact on public safety.
As I have stated, I'll endeavour to limit my remarks and therefore will focus primarily on two sections of the act. Before moving to specifics, permit me some general comments both to provide illumination of the guiding principles under which the CACP carries out its mandate, but further to provide some comment about the general policing environment in Canada, so that this honourable committee may have some context in which to view our specific comments.
The overall goal of the CACP is to lead progressive change in policing through, among other things, the advocacy for legislative reform, the advancing of innovative solutions to crime and public order issues, and the promotion of the highest professional and ethical standards for its member agencies. Simply put, the CACP believes that preserving and respecting the rule of law and the Charter of Rights and Freedoms guarantees that we will maintain the continuing consent of the citizens we police.
With the foregoing in mind, allow me to state clearly that the Canadian police community is very mindful of the concerns of Canadians for their privacy. We, like all Canadians, understand that while the digital age has brought forth much benefit, the ease with which personal information flows across boundaries brings with it many challenges for law enforcement. My committee and other CACP committees, such as the electronic crime committee and the organized crime committee, are actively pursuing legislative and policy initiatives to combat privacy-related criminal activity such as identity theft and telemarketing fraud, to name but two.
As well, as police services have modernized our own electronic data collection and information-sharing practices, we have worked hard to place the appropriate safeguards in place to ensure we comply with both the spirit and intent of our various governing privacy acts and the fair information practices they enshrine. We are also mindful that Canadians have a growing awareness of the very real dangers posed to our society by organized crime, global terrorism, and, perhaps most alarming, the exploitation of our children by Internet predators and purveyors of child pornography.
To that end, the CACP continues to advocate for changes to our laws to provide a balanced and effective set of investigative tools to deal with the new challenges faced by law enforcement in the information age. While Canadians expect balance and restraint from their police, they also expect that we will have the tools available to us to keep them safe and serve the public interest.
Another point I would make is that policing is not strictly the enforcing of laws. While the investigation of crime and the apprehension of criminals is a key aspect of what we do, provincial police statutes in the common law recognize that the primary duty of a police officer is the protection of the public and the preservation of the peace. In pursuit of this we are often called upon to perform tasks that are of a social benefit. These include such tasks as notification of the next of kin, checks on the welfare of the elderly and infirm, assistance to child protection authorities, or working in collaboration with mental health professionals to assist in protecting vulnerable persons within our society. In any or all of these cases, police may need timely access to accurate information about an individual for the benefit of that individual or for some other public good.
Therefore, here are some key points I would ask that you draw from my opening comments.
First, the digital age and the new realities of the Internet and the free flow of personal information in electronic form pose many of the same challenges to effective policing as they do for other sectors of society and, we suggest, have brought with them new public safety challenges.
Second, police operate under the considerable scrutiny of the public, the courts, and other regulatory bodies. Every police agency in this country is governed by privacy legislation. We understand our responsibilities with respect to the protection of the privacy of Canadians.
Finally, while one may tend to think of policing in terms of enforcement of the criminal law, there are many everyday functions performed by the police that do not invoke the criminal law powers or the associated investigative authorities, yet are equally of service to the public good.
Now turning to the act specifically, I would like to comment on two areas: the disclosure by police of personal information without consent, and secondly, the disclosure of information police themselves request to the individual about whom the information was requested. Specifically, I'm talking of sections 7 and 9.
As you know, paragraph 7(3)(c) permits organizations to disclose personal information without the knowledge or consent of the individual, where a court order exists. Police do frequently seek information with prior judicial authorization under search warrant or production order when the information is of a nature that attracts section 8 of the charter protection and of course where they can meet the legal threshold for obtaining such an order. But as noted, there are occasions in which information sought does not attract section 8 protection. One example of this is hydro power usage, which may indicate the theft of electricity or operation of a marijuana grow-op. There is some good authority from the courts that a warrant is not required for this information.
In another example, a police officer may be in the early stages of a missing person investigation, in which he or she is trying to determine if in fact a crime has occurred. Perhaps we may have to solicit the assistance of a financial institution because we need to know if that person bought gas at a particular gas station or if the person used a credit card, or perhaps we need to find out if a person has a cell phone registered to him with a particular company. For this information we rely on paragraph 7(3)(c.1), which permits disclosure upon lawful authority, as my friend has already noticed. However, we are increasingly seeing some companies interpreting lawful authority to mean that a warrant or court order is required before they comply. This is an interpretation that is not, in our respectful view, consistent with the intent of the drafting of the act. Such an interpretation by companies, while no doubt grounded in a legitimate desire to protect their customers' privacy, is overly restrictive and defeats, in our view, the intent of paragraph 7(3)(c.1). That section is intended to be permissive and give guidance to the holder of the information to ensure that there is some legal basis upon which the police are requesting the information. That legal basis may be a criminal investigation and may involve the service of a court order, in which case paragraph 7(3)(c) would apply, or it may be pursuant to our many other duties, in which case we suggest that paragraph 7(3)(c.1) contemplates a situation in which a warrant is not required or indeed available. It does so by using the term “lawful authority” and differentiating between the enforcement of a law and the carrying out of an investigation relating to the enforcement of the law.
It is important to note at this juncture that the police are always restrained by the rules of evidence, and wherever there is an expectation that information is to be used for criminal prosecution, we are careful to ensure we do not jeopardize the subsequent prosecution by obtaining evidence in a manner that would otherwise require a warrant.
The second section concerned is section 9, which provides that a person may have access to his information possessed by the company, including whether the company has disclosed that information to another party, including the police. There is, of course, a provision that permits the objection by law enforcement to disclosure of the fact that a request had been made for the information, but as we understand it, the prevailing view of that section and the cumulative effect of that section are that protection is triggered only when the individual actually makes a request. In our view, there is nothing preventing a company from adopting a policy of voluntary notice to customers that the police had requested and received information. This is, as you can no doubt appreciate, of concern for us, most especially when there's an ongoing and sensitive investigation or the information was requested for intelligence purposes.
For purposes of the end result, we are requesting that the committee consider clarifying the ambiguity in sections 7 and 9. First, we respectfully suggest you consider clarifying the term “lawful authority”, either within the definitions section of the act or by employing some other wording, which would clearly demonstrate that a warrant is not required. This is recognizing, of course, that section 7 is permissive and that companies are not compelled to provide the information. Such clarification would serve primarily to give them some comfort in their efforts to be good corporate citizens and, where appropriate, assist in matters of public safety.
With respect to section 9, one possible suggestion is that an amendment be made to generally prohibit the disclosure to an individual that the police have requested or received information, regardless of whether the request is made by the individual. Provision could be made for the police to consent and not unreasonably withhold that consent. Such an amendment would also help clarify the obligations of companies, of course.
In closing, it is important to notice that the vast majority of organizations covered by the act strive to be good corporate citizens. Police across this country work closely with all members of their respective communities, corporate or otherwise, to maintain professional and cooperative relationships. This is a key component of good police work.
In keeping with this, it is important that all parties have a clear understanding of their duties and obligations with respect to protecting Canadians' privacy. Clarity of language in the act will go far in ensuring the appropriate balance between the protection of that privacy and the needs of public safety, by making sure the right information goes to the right people at the right time and according to the law.
Once again, on behalf of the Canadian Association of Chiefs of Police, thank you for the opportunity to comment.
:
There's a bit of a crossover on this issue, especially with respect to cost during the ongoing lawful access consultations we've had over the last number of years, which my friend alluded to, the Modernization of Investigative Techniques Act, the bill that was introduced by the previous government.
The Telus Mobility case is going before the Supreme Court of Canada, actually. That's the case that dealt with the imposition of a fee by Telus at the time as a precondition for complying with an order for production of data. The Supreme Court, it is my understanding, has granted leave to appeal. The CACP is considering intervening in that case.
What we found is that the deregulation of the telecommunications industry has produced a lot of small players in the industry. We have consulted with them, and we're mindful of the challenges they have in complying with requests from law enforcement. A lot of these ISPs are mom and pop operations, and they operate on a very thin margin, profit-wise. They tend to be good corporate citizens, and we know that. They want to comply, but there's an impact to complying.
We do find also, though, that there's perhaps some concern with respect to their liability if they produce information without a warrant, when in fact a warrant isn't required or we don't have a warrant available. We try to give them some comfort and clarity as to what's required.
By and large, we do run into some challenges, that's true. There are probably no doubt examples of blatant disregard, but I would say those are the exceptions, not the rule. That's why we look for clarity in terms of the tools, and we look for the tools necessary to get the information to us. The other concern, obviously, is that ISPs' data is erased quickly, so we need to get to it quickly. That's an area of concern for us that the MITA legislation was intended to address as well.
:
Thank you for the opportunity to respond to that. Perhaps I'll try to provide some clarity of our view on that.
Our view is that whenever information is of the type that attracts section 8 of the charter protection, the right to privacy protection, or the right to be free from unreasonable search and seizure, the Supreme Court of Canada has clearly stated that the police require a warrant; they require prior judicial authorization. It gives guidance in Hunter v. Southam; it gives guidance on what type of information it is.
What we are talking about here is access to information that does not attract that threshold, so the threshold is built in. We don't require a warrant for information on customers' names and addresses. That threshold is not there. The courts have said we don't need a warrant to get that information.
This is not a case of people's bank records, how much money they earn, or what their sexual preferences are. We absolutely require warrants for those things and will continue to require them. Otherwise the information is not admissible in court, in any event. So we're under the supervision of the court, and those protections are built in. It's clearly not our position that in this bill or any other bill we should be given the authority to access information of that nature without a warrant. We don't believe that. It's just not the way the law is in Canada, and we accept that.
What we're talking about in this case, for example, is our ability to go to a bank or an ISP and ask whether so-and-so is a customer, and whether he has an account there, yes or no. Then we carry out the investigation. That's the type of information we're seeking to have released to us.
As to my friend's discussion about a positive obligation to disclose things with respect to child pornography, we haven't put our minds to that, but it's certainly an area that this committee may wish to consider--a positive obligation on ISPs--but that would be a private duty.